Tripwire has published the results of an extensive study conducted for Tripwire by Dimensional Research. The Tripwire study evaluated the confidence of IT professionals regarding the efficacy of seven key security controls, which must be in place to quickly detect a cyber attack in progress. Study respondents included 763 IT professionals from various industries, including 134 participants from financial services.

According to the Identity Theft Resource Center’s 2015 Breach List report, the number of data breaches within the banking, credit and financial sectors nearly doubled between 2014 and 2015. Despite this increase, the majority of IT professionals in financial services displayed high levels of confidence in their ability to detect a data breach, even though they were unsure how long it would take for their security tools to discover key indicators of compromise. While sixty percent of financial respondents either did not know or only had a general idea of how long it would take to isolate or remove an unauthorized device from their organizations’ networks, eighty-seven percent believed they could perform this task within minutes or hours.

Additional financial services findings include:
- Only thirty-seven percent said their automated tools were able to identify locations, department and other critical details of network devices with unauthorized configuration changes.
- Eighty-two percent believe they could detect configuration changes to a network device on their organizations’ networks within minutes or hours. However, fifty-nine percent acknowledged they did not know exactly how long it would take to do this.
- Ninety-two percent believe vulnerability scanning systems would generate an alert within minutes or hours if an unauthorized device was discovered on their network. However, seventy-seven percent say they automatically discover eighty percent or less of the devices on their networks.
- Twenty-nine percent do not detect all attempts to access files or network-accessible file shares without the appropriate privileges.
- Forty percent said less than eighty percent of patches are successfully applied in a typical patch cycle.
“Compliance and security are not the same thing,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “While many of these best practices are mandated by compliance standards, they are often implemented in a ‘check-the-box’ fashion. Addressing compliance alone may keep the auditor at bay, but it can also leave gaps that can allow criminals to gain a foothold in an organization.”
Tripwire’s study is based on seven key security controls required by a wide variety of compliance regulations, including PCI DSS, SOX, NERC CIP, MAS TRM, NIST 800-53, CIS 20 Critical Controls and IRS 1075. These controls also align with the United States Computer Emergency Readiness Team (US-CERT) recommendations and international security guidance such as the Australian Signals Directorate’s Strategies to Mitigate Targeted Cyber Intrusions.
The recommendations and guidance include:
- Accurate hardware inventory
- Accurate software inventory
- Continuous configuration management and hardening
- Comprehensive vulnerability management
- Patch management
- Log management
- Identity and access management
When implemented across an organization, these controls deliver specific, actionable information that is necessary to defend against the most pervasive and dangerous cyber attacks. It is vital for organizations to identify indicators of compromise quickly so that appropriate action can be taken before significant damage is done. According to Mandiant’s M-Trends 2015 report, the average time required to detect an advanced persistent threat on a corporate network is 205 days. Verizon’s 2016 Data Breach Investigations Report revealed that eighty-three percent of compromises took weeks to detect.

“The path to a mature security deployment is through visibility because you cannot protect what you cannot see,” said Travis Smith, senior security research engineer for Tripwire. “Understanding what you have and how you can potentially be compromised allows security teams to focus on where attackers are likely to strike. The cost of being proactive is always less than the cost of being reactive.”